Law No. 21,398 on measures to promote the protection of consumers' rights, incorporates Article 15 bis to Law No. 19,496 on Consumer Protection (hereinafter, the "CPL"), which expressly extends the mandate and functions conferred to SERNAC in Article 58 of the CPL to the processing of consumers' personal data that takes place within the framework of a consumer relationship.
In this regard, SERNAC has established guidelines and requirements for providers with respect to the processing of consumers' personal data in the following Interpretative Instructions:
- Interpretative Instruction on equity criteria in the provisions contained in consumer pre-formulated standard contracts (Exempt Resolution No. 931 of December 3, 2021).
- Interpretative Instruction on consumer protection regarding the use of artificial intelligence systems in consumer relationships (Exempt Resolution No. 33 of January 18, 2022).
A description of the main contents of each Interpretative Instruction is provided below:
Interpretative Instruction on equity criteria in the provisions contained in consumer pre-formulated standard contracts (Exempt Resolution No. 931 of December 3, 2021)
This Interpretative Instruction states that clauses that authorize providers to collect and process consumers' personal data, which are usually found in Privacy Policies and Terms and Conditions, should be examined in accordance with consumer protection regulations regarding the equity of contractual provisions.
When assessing whether these clauses are abusive or not, it is important to consider a harmonious interaction between the provisions of the CPL and the provisions of Law No. 19,628 on data protection (hereinafter, the "DPL"). In particular, the following provisions must be considered:
- Article 16 letter G of the CPL: establishes the mechanism to examine the equity of the terms and conditions under which consumers give their authorization to the processing of their personal data. Such clauses must aim not to infringe the principle of contractual good faith, not to cause damages or losses to the consumer, nor create a significant inequality between the parties’ rights and obligations.
- Article 9 of the DPL: states the “Purpose Principle” for the processing of personal data, which implies that personal data may only be processed for the purposes for which they were collected and informed at the time of obtaining the data subject’s consent.
In this sense, SERNAC understands that providers must limit the processing of consumers´ personal data to the purposes for which they were initially collected and informed (Article 9 DPL) and that such purposes must satisfy the reasons that motivated the consumer to contract with the provider (Article 16 letter G CPL).
In addition, SERNAC points out that the following clauses will be considered abusive:
- Clauses in which the consumer generically authorizes the provider to process his/her personal data, without being previously informed of the purposes for which the provider will process it, nor identifying the third parties to whom the data could be transferred or the purpose for which these third parties could process such data.
- Clauses in which the consumer irrevocably authorizes the provider to process his/her personal data.
- Clauses in which the consumer relieves the provider of any liability that may arise from to the processing of his/her personal data.
- Clauses in which the consumer releases the provider from complying with the security obligations and responsibilities related to the processing of his/her personal data.
SERNAC specifies that a further Interpretative Instruction will address the equity of stipulations on the collection and processing of consumers' personal data.
Interpretative Instruction on consumer protection regarding the use of artificial intelligence systems in consumer relationships (Exempt Resolution No. 33 of January 18, 2022)
This Interpretative Instruction establishes guidelines and requirements addressed to providers that process consumers' personal data, especially regarding those processes carried out through Artificial Intelligence systems.
1.- Personal Data:
Article 2 letter F of the DPL defines personal data as any "data relating to any information concerning identified or identifiable individuals”.
In this sense, SERNAC considers that personal data may be numerical, alphabetical, graphic, photographic, acoustic or any other type of data referring to a person whose identity may be determined by direct or indirect means of identification.
In addition, SERNAC provide that data related to behaviors, preferences or personal habits collected through Artificial Intelligence systems will be considered Sensitive Data. Considering the nature of this data and the risks involved in these activities, SERNAC indicates that providers must comply with a special duty of protection, which implies the implementation of appropriate technical and organizational security measures to ensure the confidentiality, integrity and availability of such data.
2.- Data subject’s consent:
Under the provisions of the DPL, the only legal basis for the processing of personal data are: (i) the law; and (ii) the data subject’s consent.
In this regard, SERNAC states that the provider must assure the obtention (and verification) of a valid consent (specific, express, and informed regarding the purpose of the data processing and its possible communication to third parties) and provide sufficient means for the consumer to exercise the right to revoke his/her authorization (at least by providing the same means by which the consumer gave his/her consent).
3.- Personal data processing:
Article 2 letter O of the DPL defines the processing of personal data as “any operation or combination of operations or technical procedures, whether automated or not, enabling the collection, storage, recording, organization, processing, selection, extraction, comparison, interconnection, dissociation, communication, assignment, transfer, transmission or cancellation of personal data, or their use in any other manner”.
In this sense, SERNAC includes within the personal data processing operations the use of automated databases (Artificial Intelligence system) aimed to make predictions, recommendations, or decisions within the framework of a consumer relationship.
In addition, SERNAC states that the processing of personal data by Artificial Intelligence system providers must be carried out in accordance with the standards and principles of lawfulness, purpose, proportionality, confidentiality, security and accountability of the DPL.
Last, SERNAC establishes that the provider must take care of personal data with due diligence, assuming responsibility for any damage caused (Article 11 DPL).
4.- Data controller:
Article 2 letter N of the DPL defines data controller as “the individual or private legal entity, or the respective public agency, responsible for decisions related to processing personal data”.
SERNAC considers that the provider must be qualified as a data controller, and, in this sense must, comply with the following duties and obligations set forth in the DPL:
- Quality or accuracy of personal data: personal data must be accurate, up to date, complete and consistent.
- Deletion, cancellation and modification of personal data: personal data must be deleted or cancelled when its storage lacks legal basis or when said data has expired; and likewise, erroneous, inaccurate, misleading or incomplete data must be modified.
- Purpose of the processing: providers may only use personal data for the purposes for which they were initially collected (and informed at the time of obtaining consent). If the processing is authorized through clauses contained in consumer pre-formulated standard contracts, the purposes must satisfy the reasons that motivated the consumer to contract with the provider.
- Exercise of ARCO rights: the provider shall guarantee consumers the possibility of exercising their rights of access (or information), rectification, cancellation (or elimination) and opposition, without any limitation.